From: Andrey Ryabinin <aryabinin@virtuozzo.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Andrey Ryabinin <aryabinin@virtuozzo.com>,
	stable@vger.kernel.org
Subject: [PATCH v2 1/3] fs/fuse, splice_write: Don't access pipe->buffers without pipe_lock()
Date: Tue, 17 Jul 2018 19:00:33 +0300	[thread overview]
Message-ID: <20180717160035.9422-1-aryabinin@virtuozzo.com> (raw)
In-Reply-To: <CAJfpegvAAQTAjxLcQLefvFOQDJ6ug_G8Jggt=UZci+YnNP741A@mail.gmail.com>

fuse_dev_splice_write() reads pipe->buffers to determine the size of
the 'bufs' array before taking the pipe_lock(). This is not safe as
another thread might change 'pipe->buffers' between the allocation
and taking the pipe_lock(). So we end up with a too-small 'bufs' array.

Move the bufs allocation inside pipe_lock()/pipe_unlock() to fix this.

Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org>
---
 fs/fuse/dev.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index c6b88fa85e2e..702592cce546 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1944,12 +1944,15 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
 	if (!fud)
 		return -EPERM;
 
+	pipe_lock(pipe);
+
 	bufs = kmalloc_array(pipe->buffers, sizeof(struct pipe_buffer),
 			     GFP_KERNEL);
-	if (!bufs)
+	if (!bufs) {
+		pipe_unlock(pipe);
 		return -ENOMEM;
+	}
 
-	pipe_lock(pipe);
 	nbuf = 0;
 	rem = 0;
 	for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
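Review bot: the `bufs = kmalloc_array(pipe->buffers, ...)` call now runs with pipe_lock(pipe) held, and nothing in the hunk records why; a one-line comment above the new `pipe_lock(pipe);` stating that pipe->buffers must only be read under the lock (the race this patch fixes) would keep a later cleanup from hoisting the allocation back out. Sleeping in kmalloc_array() with GFP_KERNEL under pipe_lock() is fine because pipe_lock() takes a mutex, not a spinlock. The new `if (!bufs) { pipe_unlock(pipe); return -ENOMEM; }` path correctly drops the lock before returning, and the following `for (idx = 0; idx < pipe->nrbufs ...` loop keeps reading pipe state under the same lock as before, so no other unlock path in the visible context changes.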
-- 
2.16.4


Thread overview:
2018-07-16 16:03 [PATCH 1/2] fs/fuse, splice: use kvmalloc to allocate array of pipe_buffer structs Andrey Ryabinin
2018-07-16 16:03 ` [PATCH 2/2] fs/fuse, splice_write: reduce allocation size Andrey Ryabinin
2018-07-17 14:47   ` Miklos Szeredi
2018-07-17 15:45     ` Andrey Ryabinin
2018-07-17 16:00     ` Andrey Ryabinin [this message]
2018-07-17 16:00       ` [PATCH v2 2/3] fs/fuse, splice: use kvmalloc to allocate array of pipe_buffer structs Andrey Ryabinin
2018-07-17 16:00       ` [PATCH v2 3/3] fs/fuse, splice_write: reduce allocation size Andrey Ryabinin
2019-06-12  8:57       ` [PATCH v2 1/3] fs/fuse, splice_write: Don't access pipe->buffers without pipe_lock() Vlastimil Babka
2019-06-13  9:10         ` Andrey Ryabinin
